From: Nick Porter
Date: Tue, 1 Jul 2025 16:58:32 +0000 (+0100)
Subject: Avoid producing stateful cache entries when TLS 1.3 is negotiated
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=28b65ac0722b387efbabe7571bf3f22996f23214;p=thirdparty%2Ffreeradius-server.git
Avoid producing stateful cache entries when TLS 1.3 is negotiated
---
diff --git a/src/lib/tls/cache.c b/src/lib/tls/cache.c
index ac3fb6e2b2..bab31a5870 100644
--- a/src/lib/tls/cache.c
+++ b/src/lib/tls/cache.c
@@ -742,6 +742,15 @@ static int tls_cache_store_cb(SSL *ssl, SSL_SESSION *sess)
 * resumption.
 */
 tls_session = fr_tls_session(ssl);
+
+ /*
+ * If the session is TLS 1.3, then resumption will be handled by a
+ * session ticket. However, if this callback is defined, it still
+ * gets called.
+ * To avoid unnecessary entries in the stateful cache just return.
+ */
+ if (tls_session->info.version == TLS1_3_VERSION) return 0;
+
 request = fr_tls_session_request(tls_session->ssl);
 tls_cache = tls_session->cache;
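Review bot: The early return on `tls_session->info.version == TLS1_3_VERSION` keys only on the protocol version, but the comment's premise that a session ticket handles resumption holds only when stateless tickets are enabled. With `SSL_OP_NO_TICKET` set, OpenSSL issues stateful TLS 1.3 tickets that resume only if this callback stores the session, so in a stateful-only configuration (not visible in this hunk) TLS 1.3 clients would fall back to a full handshake on every reconnect; that fails safe, but resumption is silently lost. Consider also gating on the configured cache mode, or at least stating the assumption in the comment, e.g. `* This assumes stateless tickets are in use; stateful TLS 1.3 tickets still need this store.` The version could also be read from the session being stored, `SSL_SESSION_get_protocol_version(sess) == TLS1_3_VERSION`, rather than from `info.version`, whose population is outside the hunk. The body of tls_cache_store_cb starts and ends outside the hunk.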